suricata
detect-isdataat.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements isdataat keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "app-layer.h"
33 
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 #include "detect-isdataat.h"
38 #include "detect-content.h"
39 #include "detect-uricontent.h"
40 
41 #include "flow.h"
42 #include "flow-var.h"
43 
44 #include "util-debug.h"
45 #include "util-byte.h"
46 #include "detect-pcre.h"
47 #include "detect-bytejump.h"
48 #include "detect-byte-extract.h"
49 
50 /**
51  * \brief Regex for parsing our isdataat options
52  */
53 #define PARSE_REGEX "^\\s*!?([^\\s,]+)\\s*(,\\s*relative)?\\s*(,\\s*rawbytes\\s*)?\\s*$"
54 
55 static pcre *parse_regex;
56 static pcre_extra *parse_regex_study;
57 
58 int DetectIsdataatSetup (DetectEngineCtx *, Signature *, const char *);
60 void DetectIsdataatFree(void *);
61 
62 static int DetectEndsWithSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr);
63 
64 /**
65  * \brief Registration function for isdataat: keyword
66  */
68 {
69  sigmatch_table[DETECT_ISDATAAT].name = "isdataat";
70  sigmatch_table[DETECT_ISDATAAT].desc = "check if there is still data at a specific part of the payload";
71  sigmatch_table[DETECT_ISDATAAT].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#isdataat";
72  /* match is handled in DetectEngineContentInspection() */
77 
78  sigmatch_table[DETECT_ENDS_WITH].name = "endswith";
79  sigmatch_table[DETECT_ENDS_WITH].desc = "make sure the previous content matches exactly at the end of the buffer";
80  sigmatch_table[DETECT_ENDS_WITH].url = DOC_URL DOC_VERSION "/rules/payload-keywords.html#endswith";
81  sigmatch_table[DETECT_ENDS_WITH].Setup = DetectEndsWithSetup;
83 
84  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
85 }
86 
87 /**
88  * \brief This function is used to parse isdataat options passed via isdataat: keyword
89  *
90  * \param isdataatstr Pointer to the user provided isdataat options
91  *
92  * \retval idad pointer to DetectIsdataatData on success
93  * \retval NULL on failure
94  */
95 static DetectIsdataatData *DetectIsdataatParse (const char *isdataatstr, char **offset)
96 {
97  DetectIsdataatData *idad = NULL;
98  char *args[3] = {NULL,NULL,NULL};
99 #define MAX_SUBSTRINGS 30
100  int ret = 0, res = 0;
101  int ov[MAX_SUBSTRINGS];
102  int i=0;
103 
104  ret = pcre_exec(parse_regex, parse_regex_study, isdataatstr, strlen(isdataatstr), 0, 0, ov, MAX_SUBSTRINGS);
105  if (ret < 1 || ret > 4) {
106  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, isdataatstr);
107  goto error;
108  }
109 
110  if (ret > 1) {
111  const char *str_ptr;
112  res = pcre_get_substring((char *)isdataatstr, ov, MAX_SUBSTRINGS, 1, &str_ptr);
113  if (res < 0) {
114  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
115  goto error;
116  }
117  args[0] = (char *)str_ptr;
118 
119 
120  if (ret > 2) {
121  res = pcre_get_substring((char *)isdataatstr, ov, MAX_SUBSTRINGS, 2, &str_ptr);
122  if (res < 0) {
123  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
124  goto error;
125  }
126  args[1] = (char *)str_ptr;
127  }
128  if (ret > 3) {
129  res = pcre_get_substring((char *)isdataatstr, ov, MAX_SUBSTRINGS, 3, &str_ptr);
130  if (res < 0) {
131  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
132  goto error;
133  }
134  args[2] = (char *)str_ptr;
135  }
136 
137  idad = SCMalloc(sizeof(DetectIsdataatData));
138  if (unlikely(idad == NULL))
139  goto error;
140 
141  idad->flags = 0;
142  idad->dataat = 0;
143 
144  if (args[0][0] != '-' && isalpha((unsigned char)args[0][0])) {
145  if (offset == NULL) {
146  SCLogError(SC_ERR_INVALID_ARGUMENT, "isdataat supplied with "
147  "var name for offset. \"offset\" argument supplied to "
148  "this function has to be non-NULL");
149  goto error;
150  }
151  *offset = SCStrdup(args[0]);
152  if (*offset == NULL)
153  goto error;
154  } else {
155  if (ByteExtractStringUint16(&idad->dataat, 10,
156  strlen(args[0]), args[0]) < 0 ) {
157  SCLogError(SC_ERR_INVALID_VALUE, "isdataat out of range");
158  SCFree(idad);
159  idad = NULL;
160  goto error;
161  }
162  }
163 
164  if (args[1] !=NULL) {
165  idad->flags |= ISDATAAT_RELATIVE;
166 
167  if(args[2] !=NULL)
168  idad->flags |= ISDATAAT_RAWBYTES;
169  }
170 
171  if (isdataatstr[0] == '!') {
172  idad->flags |= ISDATAAT_NEGATED;
173  }
174 
175  for (i = 0; i < (ret -1); i++) {
176  if (args[i] != NULL)
177  SCFree(args[i]);
178  }
179 
180  return idad;
181 
182  }
183 
184 error:
185  for (i = 0; i < (ret -1) && i < 3; i++){
186  if (args[i] != NULL)
187  SCFree(args[i]);
188  }
189 
190  if (idad != NULL)
191  DetectIsdataatFree(idad);
192  return NULL;
193 
194 }
195 
196 /**
197  * \brief This function is used to add the parsed isdataatdata into the current
198  * signature.
199  * \param de_ctx pointer to the Detection Engine Context
200  * \param s pointer to the Current Signature
201  * \param isdataatstr pointer to the user provided isdataat options
202  *
203  * \retval 0 on Success
204  * \retval -1 on Failure
205  */
206 int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, const char *isdataatstr)
207 {
208  SigMatch *sm = NULL;
209  SigMatch *prev_pm = NULL;
210  DetectIsdataatData *idad = NULL;
211  char *offset = NULL;
212  int ret = -1;
213 
214  idad = DetectIsdataatParse(isdataatstr, &offset);
215  if (idad == NULL)
216  return -1;
217 
218  int sm_list;
219  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
220  if (DetectBufferGetActiveList(de_ctx, s) == -1)
221  goto end;
222  sm_list = s->init_data->list;
223 
224  if (idad->flags & ISDATAAT_RELATIVE) {
226  }
227  } else if (idad->flags & ISDATAAT_RELATIVE) {
228  prev_pm = DetectGetLastSMFromLists(s,
231  DETECT_ISDATAAT, -1);
232  if (prev_pm == NULL)
233  sm_list = DETECT_SM_LIST_PMATCH;
234  else {
235  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
236  if (sm_list < 0)
237  goto end;
238  }
239  } else {
240  sm_list = DETECT_SM_LIST_PMATCH;
241  }
242 
243  if (offset != NULL) {
244  SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
245  if (bed_sm == NULL) {
246  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
247  "seen in isdataat - %s\n", offset);
248  goto end;
249  }
250  idad->dataat = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
251  idad->flags |= ISDATAAT_OFFSET_BE;
252  SCLogDebug("isdataat uses byte_extract with local id %u", idad->dataat);
253  SCFree(offset);
254  offset = NULL;
255  }
256 
257  /* 'ends with' scenario */
258  if (prev_pm != NULL && prev_pm->type == DETECT_CONTENT &&
259  idad->dataat == 1 &&
261  {
262  DetectIsdataatFree(idad);
263  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
265  ret = 0;
266  goto end;
267  }
268 
269  sm = SigMatchAlloc();
270  if (sm == NULL)
271  goto end;
272  sm->type = DETECT_ISDATAAT;
273  sm->ctx = (SigMatchCtx *)idad;
274  SigMatchAppendSMToList(s, sm, sm_list);
275 
276  if (!(idad->flags & ISDATAAT_RELATIVE)) {
277  ret = 0;
278  goto end;
279  }
280 
281  if (prev_pm == NULL) {
282  ret = 0;
283  goto end;
284  }
285 
286  if (prev_pm->type == DETECT_CONTENT) {
287  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
289  } else if (prev_pm->type == DETECT_PCRE) {
290  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
292  }
293 
294  ret = 0;
295 
296 end:
297  if (offset)
298  SCFree(offset);
299  if (ret != 0)
300  DetectIsdataatFree(idad);
301  return ret;
302 }
303 
304 /**
305  * \brief this function will free memory associated with DetectIsdataatData
306  *
307  * \param idad pointer to DetectIsdataatData
308  */
309 void DetectIsdataatFree(void *ptr)
310 {
311  DetectIsdataatData *idad = (DetectIsdataatData *)ptr;
312  SCFree(idad);
313 }
314 
315 static int DetectEndsWithSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
316 {
317  SigMatch *pm = NULL;
318  int ret = -1;
319 
320  /* retrieve the sm to apply the depth against */
322  if (pm == NULL) {
323  SCLogError(SC_ERR_DEPTH_MISSING_CONTENT, "endswith needs a "
324  "preceding content option");
325  goto end;
326  }
327 
328  /* verify other conditions. */
330 
332 
333  ret = 0;
334  end:
335  return ret;
336 }
337 
338 #ifdef UNITTESTS
339 static int g_dce_stub_data_buffer_id = 0;
340 
341 /**
342  * \test DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure
343  * when given valid isdataat opt
344  */
345 static int DetectIsdataatTestParse01 (void)
346 {
347  int result = 0;
348  DetectIsdataatData *idad = NULL;
349  idad = DetectIsdataatParse("30 ", NULL);
350  if (idad != NULL) {
351  DetectIsdataatFree(idad);
352  result = 1;
353  }
354 
355  return result;
356 }
357 
358 /**
359  * \test DetectIsdataatTestParse02 is a test to make sure that we return a correct IsdataatData structure
360  * when given valid isdataat opt
361  */
362 static int DetectIsdataatTestParse02 (void)
363 {
364  int result = 0;
365  DetectIsdataatData *idad = NULL;
366  idad = DetectIsdataatParse("30 , relative", NULL);
367  if (idad != NULL && idad->flags & ISDATAAT_RELATIVE && !(idad->flags & ISDATAAT_RAWBYTES)) {
368  DetectIsdataatFree(idad);
369  result = 1;
370  }
371 
372  return result;
373 }
374 
375 /**
376  * \test DetectIsdataatTestParse03 is a test to make sure that we return a correct IsdataatData structure
377  * when given valid isdataat opt
378  */
379 static int DetectIsdataatTestParse03 (void)
380 {
381  int result = 0;
382  DetectIsdataatData *idad = NULL;
383  idad = DetectIsdataatParse("30,relative, rawbytes ", NULL);
384  if (idad != NULL && idad->flags & ISDATAAT_RELATIVE && idad->flags & ISDATAAT_RAWBYTES) {
385  DetectIsdataatFree(idad);
386  result = 1;
387  }
388 
389  return result;
390 }
391 
392 /**
393  * \test Test isdataat option for dce sig.
394  */
395 static int DetectIsdataatTestParse04(void)
396 {
397  Signature *s = SigAlloc();
398  int result = 1;
399 
401  SigFree(s);
402  return 0;
403  }
404 
405  result &= (DetectIsdataatSetup(NULL, s, "30") == 0);
406  result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
407  SigFree(s);
408 
409  s = SigAlloc();
411  SigFree(s);
412  return 0;
413  }
414  /* failure since we have no preceding content/pcre/bytejump */
415  result &= (DetectIsdataatSetup(NULL, s, "30,relative") == 0);
416  result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
417 
418  SigFree(s);
419 
420  return result;
421 }
422 
423 /**
424  * \test Test isdataat option for dce sig.
425  */
426 static int DetectIsdataatTestParse05(void)
427 {
428  DetectEngineCtx *de_ctx = NULL;
429  int result = 1;
430  Signature *s = NULL;
431  DetectIsdataatData *data = NULL;
432 
433  de_ctx = DetectEngineCtxInit();
434  if (de_ctx == NULL)
435  goto end;
436 
437  de_ctx->flags |= DE_QUIET;
438  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
439  "(msg:\"Testing bytejump_body\"; "
440  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
441  "dce_stub_data; "
442  "content:\"one\"; distance:0; "
443  "isdataat:4,relative; sid:1;)");
444  if (de_ctx->sig_list == NULL) {
445  result = 0;
446  goto end;
447  }
448  s = de_ctx->sig_list;
449  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
450  result = 0;
451  goto end;
452  }
453  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
454  data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
455  if ( !(data->flags & ISDATAAT_RELATIVE) ||
456  (data->flags & ISDATAAT_RAWBYTES) ) {
457  result = 0;
458  goto end;
459  }
460 
461  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
462  "(msg:\"Testing bytejump_body\"; "
463  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
464  "dce_stub_data; "
465  "content:\"one\"; distance:0; "
466  "isdataat:4,relative; sid:1;)");
467  if (s->next == NULL) {
468  result = 0;
469  goto end;
470  }
471  s = s->next;
472  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
473  result = 0;
474  goto end;
475  }
476  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
477  data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
478  if ( !(data->flags & ISDATAAT_RELATIVE) ||
479  (data->flags & ISDATAAT_RAWBYTES) ) {
480  result = 0;
481  goto end;
482  }
483 
484  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
485  "(msg:\"Testing bytejump_body\"; "
486  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
487  "dce_stub_data; "
488  "content:\"one\"; distance:0; "
489  "isdataat:4,relative,rawbytes; sid:1;)");
490  if (s->next == NULL) {
491  result = 0;
492  goto end;
493  }
494  s = s->next;
495  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
496  result = 0;
497  goto end;
498  }
499  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_ISDATAAT);
500  data = (DetectIsdataatData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
501  if ( !(data->flags & ISDATAAT_RELATIVE) ||
502  !(data->flags & ISDATAAT_RAWBYTES) ) {
503  result = 0;
504  goto end;
505  }
506 
507  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
508  "(msg:\"Testing bytejump_body\"; "
509  "content:\"one\"; isdataat:4,relative,rawbytes; sid:1;)");
510  if (s->next == NULL) {
511  result = 0;
512  goto end;
513  }
514  s = s->next;
515  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
516  result = 0;
517  goto end;
518  }
519 
520  end:
521  SigGroupCleanup(de_ctx);
522  SigCleanSignatures(de_ctx);
523  DetectEngineCtxFree(de_ctx);
524 
525  return result;
526 }
527 
528 static int DetectIsdataatTestParse06(void)
529 {
531  FAIL_IF(de_ctx == NULL);
532  de_ctx->flags |= DE_QUIET;
533 
534  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
535  "(msg:\"Testing bytejump_body\"; "
536  "content:\"one\"; "
537  "isdataat:!4,relative; sid:1;)");
538  FAIL_IF(s == NULL);
539 
540  FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL);
541 
542  FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_ISDATAAT);
543  DetectIsdataatData *data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
544 
548 
549  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
550  "(msg:\"Testing bytejump_body\"; "
551  "content:\"one\"; "
552  "isdataat: !4,relative; sid:2;)");
553  FAIL_IF(s == NULL);
554 
555  FAIL_IF(s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL);
556 
557  FAIL_IF_NOT(s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_ISDATAAT);
558  data = (DetectIsdataatData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
559 
563  DetectEngineCtxFree(de_ctx);
564 
565  PASS;
566 }
567 
568 /**
569  * \test DetectIsdataatTestPacket01 is a test to check matches of
570  * isdataat, and isdataat relative
571  */
572 static int DetectIsdataatTestPacket01 (void)
573 {
574  int result = 0;
575  uint8_t *buf = (uint8_t *)"Hi all!";
576  uint16_t buflen = strlen((char *)buf);
577  Packet *p[3];
578  p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
579  p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_UDP);
580  p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);
581 
582  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
583  goto end;
584 
585  const char *sigs[5];
586  sigs[0]= "alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
587  sigs[1]= "alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
588  sigs[2]= "alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
589  sigs[3]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
590  sigs[4]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
591 
592  uint32_t sid[5] = {1, 2, 3, 4, 5};
593 
594  uint32_t results[3][5] = {
595  /* packet 0 match sid 1 but should not match sid 2 */
596  {1, 1, 0, 1, 0},
597  /* packet 1 should not match */
598  {1, 1, 0, 1, 0},
599  /* packet 2 should not match */
600  {1, 1, 0, 1, 0} };
601 
602  result = UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 5);
603 
604  UTHFreePackets(p, 3);
605 end:
606  return result;
607 }
608 
609 /**
610  * \test DetectIsdataatTestPacket02 is a test to check matches of
611  * isdataat, and isdataat relative works if the previous keyword is pcre
612  * (bug 144)
613  */
614 static int DetectIsdataatTestPacket02 (void)
615 {
616  int result = 0;
617  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
618  "User-Agent: Wget/1.11.4"
619  "Accept: */*"
620  "Host: www.google.com"
621  "Connection: Keep-Alive"
622  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
623  uint16_t buflen = strlen((char *)buf);
624  Packet *p;
625  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
626 
627  if (p == NULL)
628  goto end;
629 
630  char sig[] = "alert tcp any any -> any any (msg:\"pcre with"
631  " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
632  "DullBoy/\"; isdataat:96,relative; sid:1;)";
633 
634  result = UTHPacketMatchSig(p, sig);
635 
636  UTHFreePacket(p);
637 end:
638  return result;
639 }
640 
641 /**
642  * \test DetectIsdataatTestPacket03 is a test to check matches of
643  * isdataat, and isdataat relative works if the previous keyword is byte_jump
644  * (bug 146)
645  */
646 static int DetectIsdataatTestPacket03 (void)
647 {
648  int result = 0;
649  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
650  "User-Agent: Wget/1.11.4"
651  "Accept: */*"
652  "Host: www.google.com"
653  "Connection: Keep-Alive"
654  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
655  uint16_t buflen = strlen((char *)buf);
656  Packet *p;
657  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
658 
659  if (p == NULL)
660  goto end;
661 
662  char sig[] = "alert tcp any any -> any any (msg:\"byte_jump match = 0 "
663  "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
664  "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
665 
666  result = UTHPacketMatchSig(p, sig);
667 
668  UTHFreePacket(p);
669 end:
670  return result;
671 }
672 #endif
673 
674 /**
675  * \brief this function registers unit tests for DetectIsdataat
676  */
678 {
679 #ifdef UNITTESTS
680  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
681 
682  UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01);
683  UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02);
684  UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03);
685  UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
686  UtRegisterTest("DetectIsdataatTestParse05", DetectIsdataatTestParse05);
687  UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
688 
689  UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
690  UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
691  UtRegisterTest("DetectIsdataatTestPacket03", DetectIsdataatTestPacket03);
692 #endif
693 }
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
#define ISDATAAT_OFFSET_BE
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1448
SignatureInitData * init_data
Definition: detect.h:591
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define PARSE_REGEX
Regex for parsing our isdataat options.
Signature * sig_list
Definition: detect.h:767
uint64_t offset
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define ISDATAAT_RELATIVE
#define MAX_SUBSTRINGS
#define ISDATAAT_RAWBYTES
const char * name
Definition: detect.h:1200
Signature container.
Definition: detect.h:522
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
uint16_t flags
Definition: detect-pcre.h:42
main detection engine ctx
Definition: detect.h:761
int ByteExtractStringUint16(uint16_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:264
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
#define DE_QUIET
Definition: detect.h:292
int DetectBufferTypeGetByName(const char *name)
uint8_t flags
Definition: detect.h:762
void(* Free)(void *)
Definition: detect.h:1191
#define ISDATAAT_NEGATED
int UTHPacketMatchSig(Packet *p, const char *sig)
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
void SigFree(Signature *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1170
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:594
uint8_t type
Definition: detect.h:319
void DetectIsdataatFree(void *)
this function will free memory associated with DetectIsdataatData
#define DETECT_CONTENT_ENDS_WITH
const char * desc
Definition: detect.h:1202
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:346
Signature * SigAlloc(void)
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
SigMatchCtx * ctx
Definition: detect.h:321
#define SCMalloc(a)
Definition: util-mem.h:222
#define SCFree(a)
Definition: util-mem.h:322
PoolThreadReserved res
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perfom a generic check taking care of as maximum common unittest elemen...
#define SIGMATCH_NOOPT
Definition: detect.h:1369
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
Definition: detect-parse.c:465
const char * url
Definition: detect.h:1203
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
void DetectIsdataatRegisterTests(void)
this function registers unit tests for DetectIsdataat
#define SCStrdup(a)
Definition: util-mem.h:268
#define DOC_URL
Definition: suricata.h:86
void DetectIsdataatRegister(void)
Registration function for isdataat: keyword.
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:32
#define DETECT_CONTENT_RELATIVE_NEXT
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
Holds data related to byte_extract keyword.
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:619
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1194
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int DetectIsdataatSetup(DetectEngineCtx *, Signature *, const char *)
This function is used to add the parsed isdataatdata into the current signature.
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void(* RegisterTests)(void)
Definition: detect.h:1192
a single match condition for a signature
Definition: detect.h:318
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineCtx * DetectEngineCtxInit(void)